DPO Daily
Yesterday, the Information Commissioner’s Office published “Consent or pay guidance for the public”. While the writing has been on the wall for some time, the fact that the Commissioner has now issued public-facing advice means they’re plainly hoping that everyone will move on.
Despite the fact that the European DP establishment is moving in the other direction, Brexit means Brexit so the ICO can say that the three pronged model – pay with money, pay with data or don’t use the service – is acceptable.
The pressure group Noyb have a slippery slope argument here; if consent or pay is accepted, hotels will put cameras in your room and charge you to remove it, while “an airline could ask you to use facial recognition for boarding or to pay €20 if you want to board manually”. I don’t think this kind of logical fallacy works.
Hotels have no incentive to alienate customers by snooping on them (who would book the Spy Camera Hotel?) while if my recent experience of Manchester, Heathrow and Boston airports is anything to go by, facial recognition is firmly in place with no reference to consent. I suspect a national security justification would be deployed rather than pointing at consent or pay.
Noyb’s answer to the problem of how web content should be paid for is that sites should just charge users. I’ve spoken to a few DP specialists who land here. One IAPP luminary told me that people just shouldn’t use Facebook at all. The Privacy Pro knows best. Eat cake, you filthy muggles.
Is consent or pay legally pure? Probably not. Is it a messy compromise that most people will prefer over being told by Max Schrems that they must either pay for their favourite sites or not have access to them at all? Big publishers aren’t going to volunteer to take the contextual ads route, no matter how much you want them to.
People should be careful what they wish for. I doubt Meta would leave the EU, but Imgur pulled the plug on the UK after the ICO came knocking. If Mark Zuckerberg is gifted the opportunity to tell Brits that GDPR means they have to pay for Facebook or they can’t have it at all, he’ll take it. DP has always had an image problem with the public, and I think people would believe him. Everyone already blames GDPR for cookie banners, and ‘pay or no Instagram’ would be a disaster for any good impacts that the legislation has.
I think the ICO is in a no-win situation. I’d rather they spend their time on areas where they might succeed: inaccuracy, poor security, phone-based marketing, and other more directly harmful activities. They won’t, of course, but if we’re playing fantasy DP regulation, they’re my pick rather than this.
You are free to disagree, but the only options now are judicially reviewing the ICO’s decision (good luck with that) or suing one of the companies. I suspect someone will do so, but if the sticklers and zealots get the outcome that they want, I think the party will be short-lived.
FOI Daily
Peter William Styles is compiling an inventory of information on the chalk streams of England, because of course he is, and he asked Affinity Water Limited for a list of boreholes in their area which abstract water from a chalk aquifer.
I don’t know what a chalk aquifer is, and I refuse to find out.
Affinity is covered by the EIRs and everyone agrees that the data in question is environmental information so we’re off to the races. Affinity claim that to tell Mr Styles about the general location of these boreholes would have an adverse effect on national security and public safety because of the risk of vandalism.
Affinity’s argument is that if they disclose relevant reference numbers to Mr Styles, he may go on to request specific licenses from the Environment Agency. It is the risk of what they might disclose that is the premise of their refusal, and the Information Commissioner’s Office agreed with this frankly absurd claim.
It’s all based on the “mosaic effect”. This is the theory that by disclosing apparently harmless pieces of information, malign actors might be able to piece together a damaging whole. The Tribunal steps in with what is usually the Commissioner’s role of asking ‘How?’.
To avoid the problem, Affinity could simply tell the EA about the risk of disclosing more specific location data (specific data that Mr Styles says he doesn’t want). Instead, they put on a dog and pony show and the Commissioner was seemingly beguiled.
The decision is a bit top-heavy, with lots of procedural detail preceding a fairly perfunctory analysis, but I am persuaded by their conclusion. The claimed risk is just silly and the ICO should be asking themselves how they ended up on the wrong side of it.